
[spf-discuss] HARDPASS again (was: SPF TXT Questions re Effectiveness)

2006-12-02 15:11:54
Alex van den Bogaerdt wrote:

People publishing "?all" only want to authorize certain hosts without
rolling out SPF over the rest of the (not: their) infrastructure.
After all: ?all means "treat the rest as if no policy was published".

These people have understood what is published in RFC4408 very well,
and made a carefully considered decision. They deserve respect for
thinking and playing by the rules.

I disagree with, but respect, people that see more in an SPF policy
than the specification says.  A host is authorized or not. It doesn't
matter if there are one, ten or a hundred different entities behind
it, all of which are able to use each other's domains.  That's not in
the specification thus not in the protocol.  It is an entirely different
layer of security.

An SPF "PASS" does not mean: "the email is verified".  It means
"the host was authorized" and nothing more.

If you unilaterally change the meaning of SPF, you are probably
going to disappoint people; either yourself or others.  One example
of interpreting SPF in a way it was not designed, is MS's senderID.

+1

It's IMNSHO an utterly dubious idea to treat "?all" different from a "?"
elsewhere.  It's also perfectly okay to offer "PASS or ?all" policies
for inclusion.

If we can agree on that I could send a "publication request" for the
op=auth stuff to the IESG even if it's nowhere implemented, that would
offer the missing HARDPASS for those who want it.

Frank
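
The qualifier semantics discussed in this message, as an added example that is not part of the original thread or of any SPF implementation. It evaluates only the ip4/ip6/all subset of RFC 4408; the function name `check_host` and the sample records (documentation address ranges) are constructed for illustration.

```python
import ipaddress

# RFC 4408 qualifier -> result. A mechanism with no qualifier defaults to "+".
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF record for one client IP.

    Terms that need DNS (a, mx, include, exists, ptr) and modifiers are
    outside this sketch and raise ValueError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                          # no policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            raise ValueError(f"unsupported term in this sketch: {term!r}")
        if matched:
            # First match wins. The qualifier alone decides the result,
            # whether it sits on "all" or on any earlier mechanism.
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                           # nothing matched: default result

# Constructed sample records and client addresses.
SAMPLES = [
    ("v=spf1 ip4:192.0.2.0/24 ?all", "192.0.2.10"),     # listed host
    ("v=spf1 ip4:192.0.2.0/24 ?all", "198.51.100.7"),   # falls through to ?all
    ("v=spf1 ?ip4:192.0.2.0/24 -all", "192.0.2.10"),    # "?" on a non-all term
    ("v=spf1 ?ip4:192.0.2.0/24 -all", "198.51.100.7"),  # falls through to -all
]

def demo():
    return [check_host(record, ip) for record, ip in SAMPLES]

if __name__ == "__main__":
    for (record, ip), result in zip(SAMPLES, demo()):
        print(f"{ip:15} {record:32} -> {result}")
```

A "pass" here says only that the connecting host matched an authorized mechanism; "neutral" is the result RFC 4408 requires receivers to treat exactly like "none".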

